Approach

We're going to use a Java EE filter to intercept requests before they reach our application. We could have just stripped off the anchor part of the URL, but that's not how HTTP works. The anchor (everything after the #) is never sent to the server, so the application cannot see it, let alone strip it, and we have to get much trickier.

We're going to use a redirect to set the browser's URL to the same URL without the anchor, thus preventing the attack. But we have to be able to tell the difference between the first request and the redirected request. So we're going to add a temporary token to the URL, which we'll verify when it arrives. We don't want an attacker forging one of these tokens, so we're going to encrypt the user's source IP address along with a timestamp: the IP ties the token to the client it was issued to, and the timestamp keeps it from being replayed later.
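The following is an added example of a filter built along these lines; it is not the OWASP PDFAttackFilter or its source. The class name, the `pdftoken` parameter, the 30-second token lifetime and AES-GCM as the cipher are my assumptions, and the key is generated at startup purely for illustration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.*;
import javax.servlet.http.*;

public class PdfRedirectFilter implements Filter {            // hypothetical name, not org.owasp.filters.PDFAttackFilter
    private static final String PARAM = "pdftoken";           // hypothetical query-parameter name
    private static final long MAX_AGE_MS = 30_000L;           // token lifetime; a replay after this is refused
    private final SecureRandom rng = new SecureRandom();
    private SecretKeySpec key;                                // per-deployment secret; generated fresh on each startup here

    public void init(FilterConfig cfg) { byte[] k = new byte[16]; rng.nextBytes(k); key = new SecretKeySpec(k, "AES"); }
    public void destroy() {}
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        // Redirected request carrying a good token: let the PDF be served.
        if (tokenValid(r.getParameter(PARAM), r.getRemoteAddr())) { chain.doFilter(req, res); return; }
        // First request: redirect to the same URL plus a fresh token, so the URL the browser lands on is ours.
        String qs = r.getQueryString();
        w.sendRedirect(r.getRequestURL() + (qs == null ? "?" : "?" + qs + "&") + PARAM + "=" + makeToken(r.getRemoteAddr()));
    }
    // Token = base64url(iv || AES-GCM(ip "|" millis)). The GCM tag makes forged or altered tokens fail to decrypt.
    private String makeToken(String ip) {
        try {
            byte[] iv = new byte[12]; rng.nextBytes(iv);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal((ip + "|" + System.currentTimeMillis()).getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
        } catch (Exception e) { throw new IllegalStateException(e); }
    }
    private boolean tokenValid(String token, String ip) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(token);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
            String[] p = new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8).split("\\|");
            long age = System.currentTimeMillis() - Long.parseLong(p[1]);
            return p[0].equals(ip) && age >= 0 && age <= MAX_AGE_MS;   // same client, token not yet expired
        } catch (Exception e) { return false; }                        // missing, forged, garbled or expired token
    }
}
```

Behind a reverse proxy getRemoteAddr() is the proxy's address, and a clustered deployment needs a shared key rather than one generated at startup. Note also that browsers following RFC 7231 carry the original URL's fragment over to a redirect whose Location has none, so the fragment-dropping behaviour this approach depends on is that of the browsers of its time.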

Download

The source code (one file) and the compiled class file are in a single zip file.

Setup

The first step is to add the filter to our application. All we have to do is put the PDFAttackFilter class on our application's classpath, probably by putting it in the classes folder in WEB-INF. The class file should be in a folder structure that matches the package (org -> owasp -> filters -> PDFAttackFilter). You can extract the class file from the zip file.

Then we just have to add the following to our web.xml. You should paste this in right above your servlet definitions. You'll want to change the mapping so that it only applies to URLs that serve a PDF file. You could use /*.pdf, but you may have servlets that stream PDF files whose URLs don't end in .pdf.